[dns-operations] thoughts on DNSSEC
WBrown at e1b.org
Thu Jul 19 17:08:57 UTC 2012
James M Galvin <galvin at elistx.com> wrote on 07/19/2012 12:03:22 PM:
> I have evolved to what I consider a more practical view of this issue
> over the years. I'm certainly open to reconsideration but here's what
> I think today in one sentence: as a practical matter this is not a
> significant problem.
True, but as DNSSEC adoption increases, significance will increase as
well.
> I absolutely believe we have a major gaping hole technically, so don't
> get me wrong. We should absolutely be seeking better ways to get child
> key information in to the parent zone. But that's a separate
> discussion.
Agreed, with the proviso that some method to upload key records needs to
exist for all registrars. Many of us have seen great strides in software
ease of use during our lifetimes. My parents had a neighbor who thought
the greatest improvement in her lifetime was indoor plumbing. Someday,
users will never have experienced insecure DNS queries.
> Here's my rationale for what I believe.
>
> Consider the domain name market in an 80-20 split. I assert that for
> 80% of the market none of this will matter. The 80% portion of the
> market gets bundled services - domain name, email, web hosting, dns,
> etc. In that market their DNSSEC services will simply be provided and
> they will not know, care, or understand any of the problem you
> describe. They will not know the difference between a web site failure
> or some kind of DNS failure and they won't care. "Down" for 2 days: oh
> well. They are going to get the same level of service for the DNS
> failures as they do for their web site failures and they deal with this
> just fine today. DNSSEC does not change this business model or service.
I'm not sure I know anyone that won't be bitching up a storm with a 2 day
outage. We are an organization that provides DNS, email and web hosting
to over 100 schools and related organizations in the area. I guess that
makes us part of the 20% for which this matters. We rely on outside
registrars, and unfortunately we've been using Network Solutions for
years. Until now, I have not had any complaints about them. They never
screwed up anything on me. I guess if they don't allow me to upload DS
records, I can't blame them for DNSSEC failures.
> We can have a discussion of whether or not DNSSEC should change the
> business model or service. I happen to think it should. I also think
> it will, in time, although I'm not going to try to predict it, except
> perhaps to talk about events that will show the change is in progress.
> But that's a separate discussion.
>
> For the remaining 20% I'll assert that they are technically competent,
> which means if they have fat finger issues, well, we've all had those
> problems. You get what you deserve and pay for. What I mean is, these
> folks will either be doing their DNS themselves, because they can, or
> they will be using a third-party service provider. In either case,
> with any luck they will be using a registrar with a higher level of
> service because they understand the risks and don't want the service
> interruption. If they're not then they'll have a "mistake" and they'll
> change registrars because they will learn from their "mistake".
I like to think I'm somewhat competent, but also recognize I have limits
on what I know and can do. I am reading all I can (hence being on this
list) and testing with a non-production domain. I have fat fingered BIND
and brought domains down. I've blown up mail servers and killed web
servers. Own up, apologize and promise to not make the same dumb mistake
again.
I'm thinking my mistake here was thinking that a registrar would want to
offer DNSSEC to its customers. Perhaps it is time for me to acknowledge
that mistake and work on moving domains to another registrar. There will
be a lot of organizational inertia to overcome here to do so. When I
requested transfer code for my personal domain, NetSol was all "boo hoo
hoo, what can we do to keep you as a customer?" It's easy. Lower your
prices. I will pay a premium for good service, but they are not providing
that. And offer DNSSEC to your customers. One of the times I spoke to
their tech support, the person had no bloody clue what DNSSEC was. Hell,
they could have provided her with a buzzword chart listing DNSSEC with a
"we don't support that yet" answer. And she would not put me through to
second tier support, insisting she could help me.
> In other words, the probability of a problem for the 20% is much lower
> than the probability of a problem for the 80%. And it is the problems
> in the 20% that will be most visible. The problems in the 80% will
> happen but are unlikely to have a significant impact on anything in particular.
If I'm in the 20%, I'll do my best to prevent the problems. I hate being
visible.
See http://dilbert.com/strips/comic/1995-08-18/ One of my all time
favorites!!
> That's what I think.
Thanks for sharing.
> Jim
Bill
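The thread above turns on getting the child zone's key material into the parent as a DS record, and a fat-fingered DS is exactly the outage both writers have in mind: validating resolvers then treat the zone as bogus, not as unsigned. The following is an added example, not code from the thread or from either writer. It recomputes DS records from a zone's DNSKEY RRset per RFC 4034 (key tag, canonical owner name, SHA-1/SHA-256 digest) and compares them with whatever DS set the registrar pushed into the parent. The zone name example.org and the four-byte "public key" are constructed sample input; a real key is hundreds of bytes, but the arithmetic is the same.

```python
# Added example (not from the e-mail thread): recompute DS records from a child
# zone's DNSKEY RRset and compare them with the DS set the registrar pushed into
# the parent zone.  Standard library only; RFC 4034 key tag and digest rules.
import base64
import hashlib
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    owner: str         # zone apex, e.g. "example.org."
    flags: int         # 257 = KSK (SEP bit set), 256 = ZSK
    protocol: int      # always 3 for DNSSEC
    algorithm: int     # 8 = RSA/SHA-256, 13 = ECDSA P-256/SHA-256
    public_key: bytes  # raw key material (base64-decoded from the zone file)

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int   # 1 = SHA-1, 2 = SHA-256
    digest: str        # lower-case hex


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (algorithms other than RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def wire_name(name: str) -> bytes:
    """Canonical wire form of the owner name: lower-cased, length-prefixed labels, root terminator."""
    labels = [lab for lab in name.rstrip(".").lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def make_ds(key: DNSKEY, digest_type: int = 2) -> DS:
    """DS digest = hash(canonical owner name || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    rdata = key.rdata()
    h = hashlib.sha256 if digest_type == 2 else hashlib.sha1
    return DS(key_tag(rdata), key.algorithm, digest_type, h(wire_name(key.owner) + rdata).hexdigest())


def parse_dnskey(line: str) -> DNSKEY:
    """Parse a zone-file DNSKEY RR; TTL/class are optional and the base64 may be split by spaces."""
    tok = line.split()
    i = tok.index("DNSKEY")
    return DNSKEY(tok[0], int(tok[i + 1]), int(tok[i + 2]), int(tok[i + 3]),
                  base64.b64decode("".join(tok[i + 4:])))


def parse_ds(line: str) -> DS:
    """Parse a zone-file DS RR as published by the parent (or echoed back by the registrar)."""
    tok = line.split()
    i = tok.index("DS")
    return DS(int(tok[i + 1]), int(tok[i + 2]), int(tok[i + 3]), "".join(tok[i + 4:]).lower())


def check_delegation(parent_ds: list, child_keys: list) -> dict:
    """Classify each parent DS as matched (some live DNSKEY hashes to it) or orphaned.
    The chain is secure if at least one DS matches; an all-orphaned set is the outage case,
    because validators then mark the zone bogus rather than falling back to insecure."""
    valid = {make_ds(k, dt) for k in child_keys for dt in (1, 2)}
    matched = [ds for ds in parent_ds if ds in valid]
    orphaned = [ds for ds in parent_ds if ds not in valid]
    return {"matched": matched, "orphaned": orphaned, "secure": bool(matched)}


def demo() -> dict:
    # Constructed input: a toy KSK whose "public key" is four bytes (AQIDBA== is base64 of 01 02 03 04).
    ksk = parse_dnskey("example.org. 3600 IN DNSKEY 257 3 8 AQIDBA==")
    good = make_ds(ksk)
    # Simulate a fat-fingered registrar upload: the last hex digit of the digest is wrong.
    typo = "0" if good.digest[-1] != "0" else "f"
    bad = DS(good.key_tag, good.algorithm, good.digest_type, good.digest[:-1] + typo)
    return check_delegation([good, bad], [ksk])


if __name__ == "__main__":
    result = demo()
    print("secure:", result["secure"], "orphaned DS records:", len(result["orphaned"]))
```

In practice the child keys come from `dig +dnssec DNSKEY example.org @your-auth-server` and the parent set from `dig DS example.org @a-parent-server`, fed line by line into parse_dnskey and parse_ds; run it before and after every key roll and every registrar change, since a single orphaned DS beside a good one is harmless but an all-orphaned set takes the zone down for every validating resolver.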